Skip to content

OSG-SEC-2023-02-17 INFO OpenSSL vulnerability

Dear OSG Security Contacts,

Note: This announcement is informational only. We are not aware of any examples of the vulnerability being present in OSG systems or software. Our partners at the EGI Software Vulnerability Group sent out a message about this issue, so we've decided to also relay the details about CVE-2023-0286.

In OpenSSL there is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. [1]

IMPACTED VERSIONS:

OpenSSL versions 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

WHAT ARE THE VULNERABILITIES:

When CRL checking is enabled (for example, the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or cause a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, of which neither needs a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. In this case, this vulnerability is likely only to affect applications that have implemented their own functionality for retrieving CRLs over a network. [2]

RedHat have stated they aren't aware of any software in their distributions that are affected by this vulnerability, and that the vulnerability is likely to only affect applications that have implemented their own functionality for retrieving CRLs over a network. [3]

WHAT YOU SHOULD DO:

No actions are required at this time.

Updated openssl packages are NOT available for RHEL based distributions yet. [3] Updated openssl packages are available for Debian/Ubunutu distributions. [4]

If you are aware of any OSG systems or software that meet the specific criteria for the vulnerability, let the OSG Security Team know.

REFERENCES

[1] https://www.openssl.org/news/secadv/20230207.txt

[2] https://bugzilla.redhat.com/show_bug.cgi?id=2164440

[3] https://access.redhat.com/security/cve/cve-2023-0286

[4] https://ubuntu.com/security/CVE-2023-0286

Please contact the OSG security team at [email protected] if you have any questions or concerns. OSG Security Team